Why perform privileged collection in SharpHound

This article applies to BHE

Privileged collection allows BloodHound Enterprise to analyze Attack Paths based on non-centralized configuration: the local group memberships, active sessions, and user rights assignments configured on each domain-joined system in your environment. Without this data, BloodHound Enterprise is limited in its ability to accurately assess the true risk each Attack Path poses to your environment.

Privileged collection is similar to performing a privileged vulnerability scan: even without it you gain a lot of previously unknown information about your environment, but that information gives you a limited and less accurate picture of the risks present in your environment.

As an example, if BloodHound Enterprise identified the following set of Attack Paths in a given environment based on AD Structure alone:


Based on this view, the tree of Attack Paths on the left would present the greatest risk to this environment. Now let's collect local group membership information from the domain:


BloodHound Enterprise has identified that a computer at the bottom of the right-hand Attack Path tree, a system at the beginning of one Attack Path, has Authenticated Users (all users and computers in the current domain and in every domain trusted by it) added to its local Administrators group.

After updating the exposure based on this new information, BloodHound Enterprise identifies the path on the right as the actual largest risk to this environment.
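The shift in risk described above, modelled as a small added example that is not BloodHound Enterprise's code or its exposure formula: principals, groups and computers form a directed graph, and the "exposure" of each Attack Path root is the fraction of principals with a path to it. The domain, host, group and user names are constructed.

```python
from collections import deque

AUTH_USERS = "AUTHENTICATED USERS@CORP.LOCAL"  # constructed domain name
PRINCIPALS = ["alice", "bob", "carol", "dave", "erin", "helpdesk"]

def ad_structure_graph():
    """Constructed graph from AD structure alone. An edge A -> B means A can take
    control of B (group membership, ACL rights, delegation); Tier Zero is DC01."""
    g = {p: {AUTH_USERS} for p in PRINCIPALS}   # every user is an Authenticated User
    for p in ("alice", "bob", "carol"):
        g[p].add("IT ADMINS")                    # MemberOf
    g["IT ADMINS"] = {"DC01"}                    # group is admin on the DC
    g["helpdesk"].add("WS07")                    # GenericAll over the workstation object
    g["WS07"] = {"DC01"}                         # constrained delegation to the DC
    g.setdefault(AUTH_USERS, set())
    g["DC01"] = set()
    return g

def add_local_admin(g, member, computer):
    """Record a local Administrators membership found by privileged collection."""
    g.setdefault(member, set()).add(computer)   # AdminTo edge

def reachable(g, start):
    """Breadth-first search: every node the start node can take control of."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in g.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposure(g, node):
    """Fraction of principals with a path to node (a simplified stand-in for
    BHE's exposure figure, not its actual formula)."""
    return sum(node in reachable(g, p) for p in PRINCIPALS) / len(PRINCIPALS)

def riskiest_path(g, roots):
    """Attack Path root (start of a path to Tier Zero) with the highest exposure."""
    return max(roots, key=lambda r: exposure(g, r))

if __name__ == "__main__":
    roots = ("IT ADMINS", "WS07")
    g = ad_structure_graph()
    print({r: exposure(g, r) for r in roots}, "->", riskiest_path(g, roots))
    add_local_admin(g, AUTH_USERS, "WS07")       # what local group collection revealed
    print({r: exposure(g, r) for r in roots}, "->", riskiest_path(g, roots))
```

Before the local Administrators membership is known the left path (3 of 6 principals) outranks the right one (1 of 6); once Authenticated Users is recorded as AdminTo on WS07, every principal reaches that root and the right path becomes the largest risk.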